X-Force Changes Vulnerability Disclosure Policy
BitHive writes "ISS has changed their policy for announcing security vulnerabilities. The new guidelines will give vendors thirty days to come up with a fix before disclosure is made, though there are a number of exceptions that can prompt faster disclosure. From the PC World article, these are: "The vendor issues a patch or announcement; an in-depth discussion of the problem occurs on a public mailing list; active exploitation of any form of the vulnerability occurs on the Internet; ISS receives reliable evidence that a vulnerability is in the wild; the media reports the vulnerability; or the vendor is unresponsive.""
my spam and virus filters will block all 30-day communications from X-Force, and we will all be doomed.
hi, I like pancakes -.-- -.-- --..
We need a more responsible disclosure policy.
While I commend X-Force's policy for trying to be responsible, I would suggest that they ammend their policy in the following manner.
If the vulnerable systems are made by Microsoft then the vulnerability with a working exploit should be disclosed immediately.
I'll see your senator, and I'll raise you two judges.